40. Restrictions on Cross-Border Transfer of Personal
Data. —

(1) Every data fiduciary shall ensure the storage, on a server or data
centre located in India, of at least one serving copy of personal data
to which this Act applies.

(2) The Central Government shall notify categories of personal data as
critical personal data that shall only be processed in a server or data
centre located in India.

(3) Notwithstanding anything contained in sub-section (1), the Central
Government may notify certain categories of personal data as exempt from
the requirement under sub- section (1) on the grounds of necessity or
strategic interests of the State.

41. Conditions for Cross-Border Transfer of Personal
Data. —

(1) Personal data other than those categories of sensitive personal data
notified under sub- section (2) of section 40 may be transferred outside
the territory of India where—

(a) the transfer is made subject to standard contractual clauses or
intra-group schemes that have been approved by the Authority; or

(b) the Central Government, after consultation with the Authority,
has prescribed that transfers to a particular country, or to a
sector within a country or to a particular international
organisation is permissible; or

(c) the Authority approves a particular transfer or set of transfers
as permissible due to a situation of necessity; or

(d) in addition to clause (a) or (b) being satisfied, the data
principal has consented to such transfer of personal data; or

(e) in addition to clause (a) or (b) being satisfied, the data
principal has explicitly consented to such transfer of sensitive
personal data, which does not include the categories of sensitive
personal data notified under sub-section (2) of section 40.

(2) The Central Government may only prescribe the permissibility of
transfers under clause (b) of sub-section (1) where it finds that the
relevant personal data shall be subject to an adequate level of
protection, having regard to the applicable laws and international
agreements, and the effectiveness of the enforcement by authorities with
appropriate jurisdiction, and shall monitor the circumstances applicable
to such data in order to review decisions made under this sub-section.

(3) Notwithstanding sub-section (2) of Section 40,sensitive personal
data notified by the Central Government may be transferred outside the
territory of India—

(a) to a particular person or entity engaged in the provision of
health services or emergency services where such transfer is
strictly necessary for prompt action under section 16; and

(b) to a particular country, a prescribed sector within a country or
to a particular international organisation that has been prescribed
under clause (b) of sub-section(1), where the Central Government is
satisfied that such transfer or class of transfers is necessary for
any class of data fiduciaries or data principals and does not hamper
the effective enforcement of this Act.

(4) Any transfer under clause (a) of sub-section (3) shall be notified to
the Authority within such time period as may be prescribed.

(5) The Authority may only approve standard contractual clauses or
intra-group schemes under clause (a) of sub-section (1) where such
clauses or schemes effectively protect the rights of data principals
under this Act, including in relation with further transfers from the
transferees of personal data under this sub-section to any other person
or entity.

(6) Where a data fiduciary seeks to transfer personal data subject to
standard contractual clauses or intra-group schemes under clause (a) of
sub-section (1), it shall certify and periodically report to the
Authority as may be specified, that the transfer is made under a
contract that adheres to such standard contractual clauses or
intra-group schemes and that it shall bear any liability for the harm
caused due to any non-compliance with the standard contractual clauses
or intra-group schemes by the transferee.